Symptom
Initiating a Remote Desktop session to a particular server fails with an error message containing this text: ‘The trust relationship between this workstation and the primary domain failed.’
Background Information
- Each domain-joined computer has a unique computer account SID and a password that is reset at a regular interval (30 days by default).
- The computer account and password authenticate to a domain controller using the Kerberos protocol, and the resulting tokens are stored locally.
- Kerberos tokens depend on the clock of the local host being in sync with the domain controller.
- Kerberos version 5 allows a maximum clock difference of 5 minutes by default.
- If the clock difference exceeds that threshold, the token is no longer accepted and the computer cannot authenticate to the domain.
- Once the computer cannot authenticate to the domain, domain users cannot log on to that machine.
- Valid local computer accounts can still log on, as local logon depends on neither Kerberos nor Windows Time.
Probable Cause Analysis
- The Windows Time service (W32Time) has been stopped long enough for the computer clock to drift more than 5 minutes from the domain controller. This is the most likely direct cause. To drill down further, check OS stability (CPU, RAM, and storage utilization alerts).
- A network outage or a firewall blocking UDP/123 (NTP). This is unlikely for servers that are physically assigned to a stable location.
- The BIOS time is incorrect because of a dead CMOS battery (or no battery at all, as in the case of virtual machines).
Resolutions
Immediate options:
- Manually set the computer time to match that of the domain controller.
- Un-join the computer from the domain and rejoin it.

Long-term:
- Ensure the server is healthy, with adequate RAM, CPU, and storage resources.
- Ensure there are no network or firewall problems on UDP/123.
- Ensure W32Time is properly configured and running with this config:
  - PDC: ntp.org
  - Other machines: DOMHIER, ntp.org
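The checks above, as an added PowerShell diagnostic that is not part of the original note: it reports the W32Time service state, measures the clock offset against a domain controller, tests the machine account's secure channel, and lists the w32tm switches for the long-term configuration. The domain controller name and the ntp.org pool host are placeholders.

```powershell
# Added example, not from the original note. Run in an elevated PowerShell
# session on the affected server while logged on with a local account.
# $DomainController is a placeholder: substitute your own DC.
param(
    [string]$DomainController = "DC01.example.local",
    [int]$MaxSkewSeconds      = 300   # Kerberos v5 default clock tolerance: 5 minutes
)

# 1. W32Time state: a stopped service lets the clock drift past the tolerance.
$svc = Get-Service -Name w32time
"W32Time service: $($svc.Status) (startup: $($svc.StartType))"

# 2. Offset against the DC over UDP/123. With /dataonly, w32tm prints one
#    '<time>, <+/-offset>s' line per sample; an unreachable peer prints an error code.
$raw = w32tm /stripchart /computer:$DomainController /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $raw) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    "No time samples from ${DomainController}; check the network path and UDP/123 firewall rules:"
    $raw
} else {
    $skew = ($offsets | Measure-Object -Average).Average
    "Clock offset vs ${DomainController}: $('{0:N3}' -f $skew) s"
    if ([math]::Abs($skew) -gt $MaxSkewSeconds) {
        "Skew exceeds $MaxSkewSeconds s: the DC will reject this host's Kerberos tickets"
    }
}

# 3. Machine account secure channel. If time is correct but this still fails,
#    Test-ComputerSecureChannel -Repair resets the computer password in place,
#    which avoids the un-join/rejoin step.
if (Test-ComputerSecureChannel -Server $DomainController) {
    "Secure channel to the domain: OK"
} else {
    "Secure channel broken: fix time first, then run 'Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'"
}

# 4. Long-term W32Time configuration from the note, as w32tm switches
#    (<ntp.org pool host> is a placeholder):
#    PDC emulator (authoritative for the domain, syncs from the external pool):
#      w32tm /config /manualpeerlist:"<ntp.org pool host>" /syncfromflags:MANUAL /reliable:YES /update
#    Every other domain member (domain hierarchy first, pool as fallback):
#      w32tm /config /manualpeerlist:"<ntp.org pool host>" /syncfromflags:DOMHIER,MANUAL /update
#    then on each machine: Restart-Service w32time; w32tm /resync
```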